1. Technical Field
The present invention generally relates to the analysis of malicious code and, more particularly, to a malicious code analysis device and method based on an external device connected via a USB cable. The device and method make it possible to observe and analyze the actual activity of malicious code that recognizes that it is running in a malicious code analysis environment and avoids executing, and they allow the connection to the analysis target to be made easily over a USB cable.
2. Description of the Related Art
Generally, when malicious code is analyzed, the widely used approach is to construct a clean analysis environment using environment restoration technology and then to execute and analyze the malicious code in a virtual environment (a virtual machine). A virtual environment has the advantage that, even when malicious code is executed, its activity can be easily separated from the actual user environment. It has the further advantage that, after malicious code has been executed, the execution environment can be easily restored to its original clean state in order to execute additional malicious code. For these reasons, most malicious code analysis is currently performed in virtual environments.
Virtual environments used in malicious code analysis systems include VMware, Virtual PC, Quick Emulator (QEMU), and Kernel-based Virtual Machine (KVM) in the case of a PC, and TaintDroid or the like on the Android OS in the case of a mobile terminal. However, as analysis methods based on virtual environments have become known, techniques that allow malicious code to recognize that it is running in a virtual environment have been developed. Using these techniques, malicious code behaves differently in a virtual environment than it does in an actual environment, which makes it difficult to analyze and detect.
In order to observe and analyze the actual activity of malicious code that uses such an avoidance technique, a definite solution is to execute the malicious code in the actual environment and to observe, extract and analyze its activity from outside the execution environment (Out-Of-Box/Out-Of-Guest). Even with this solution, several issues remain to be solved in actual environment-based analysis. A representative issue is how to extract the activity of the malicious code from outside its execution environment. Conventional technology does this by extracting the modified state of the target system's hard disk after the malicious code has been executed (hard disk forensics) and inferring the activity of the malicious code from it. However, because this method extracts only the results of the modifications made to the target system after execution, it cannot observe the activity of the malicious code in detail while the code is running, and the malicious code therefore cannot be accurately analyzed.
Further, conventional technology observes network activity by capturing and storing the network packets exchanged between the analysis target system and the outside, and then analyzing, from the stored packets, the external network addresses or data that the malicious code attempts to access. Even in this case, when the malicious code encrypts its data during network communication, analysis of that data in this way is impossible.
In connection with this, Korean Patent Application Publication No. 10-2015-0129357 discloses a technology related to “Apparatus and Method of Analyzing Malicious Code in Actual Environment.”